Digital Certificates
PKI employs a system of credentials known as digital certificates: electronic documents that represent and identify individual users. A digital certificate is like an electronic identification card. It positively identifies a particular individual, organization, or application.
Besides providing information about the owner of the certificate (name, organization, e-mail address, and so forth), a digital certificate holds the owner’s public key. Under public/private key technology, a certificate owner has two keys. Parties that want to exchange messages securely with the certificate owner use the public key published on the owner’s certificate. Transmissions secured with a public key can only be successfully processed with the corresponding private key—a secret key that only the certificate owner has.
Digital certificates are issued and signed by Certificate Authorities (CAs). A CA is similar to a notary public. Its signature vouches for the identity of the individual or organization named on the certificate and attests to the validity of the public key. It also “seals” the certificate with a digital signature, which certifies the certificate’s contents and prevents it from ever being altered undetected. VeriSign and Entrust are examples of public CAs. They are considered “root-level” entities. Other intermediaries, such as financial institutions, are also permitted to issue certificates under the authority of a root CA.
You cannot verify the authenticity of a certificate without having the certificate of the CA that issued it. If the issuing CA is an intermediary, you must also have the certificate of its CA. The set of certificates required to trace the authenticity of a certificate back to a trusted CA is called a certificate chain.
Note:
To authenticate a certificate, some recipients require a complete certificate chain (one that extends all the way back to a root-level CA), while others are satisfied with a partial chain that goes back to a specific intermediary. Always submit a complete chain unless you know for certain that the recipient accepts partial chains.